Hi,

yes, you are right, my patch only fixes the task manager crash.

I now took a look at all backtraces, and all apart from the first one 
(probably an older version?) seem to be the same "other" instance:

---
#0  0x000055555a77cee7 in memory_instrumentation::MemoryInstrumentation::RequestGlobalDump(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, base::OnceCallback<void (bool, std::unique_ptr<memory_instrumentation::GlobalMemoryDump, std::default_delete<memory_instrumentation::GlobalMemoryDump> >)>) ()
#1  0x0000555558f8ddb0 in ProcessMemoryMetricsEmitter::FetchAndEmitProcessMemoryMetrics() ()
#2  0x0000555558f85e82 in (anonymous namespace)::RecordMemoryMetrics() ()
#3  0x00005555593b5165 in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) ()
---

The underlying issue is the same: it crashes when dereferencing `this` 
(as it is NULL).

It gets started in `RecordMemoryMetricsAfterDelay`:
    
https://github.com/chromium/chromium/blob/07653652c58cc019af7f833bd63eb0c2eceaab5e/chrome/browser/metrics/chrome_browser_main_extra_parts_metrics.cc#L72-L90

The "time to live" (until the first actual call) is determined in 
`GetDelayForNextMemoryLog`:
    
https://github.com/chromium/chromium/blob/07653652c58cc019af7f833bd63eb0c2eceaab5e/services/resource_coordinator/public/cpp/memory_instrumentation/browser_metrics.cc#L52-L61

And `FetchAndEmitProcessMemoryMetrics` doesn't check the `GetInstance()` 
result either:
    
https://github.com/chromium/chromium/blob/07653652c58cc019af7f833bd63eb0c2eceaab5e/chrome/browser/metrics/process_memory_metrics_emitter.cc#L636-L642

I'm not quite sure about the consequences; for now I tried skipping 
`RecordMemoryMetrics` completely - we'll see how that goes...

So as an additional patch I replaced 0x55 (`push %rbp`) at offset 
0x03a31e50 (start of `RecordMemoryMetrics`) with 0xc3 (`retq`):

$ xxd -s 0x3a31e50 -l 16 /usr/lib/chromium/chromium
03a31e50: 55bf 4000 0000 4889 e541 5453 e8cf dd49  u...@...h..ats...I
$ printf '03a31e50: c3\n' | xxd -r -  /usr/lib/chromium/chromium
$ sha1sum /usr/lib/chromium/chromium* 
fbfb255a77f38b629c19eabddff577a1b26f4395  /usr/lib/chromium/chromium
5056c781602f4bbd41f06b3bd1940b6edbd7dc8c  /usr/lib/chromium/chromium-pre-patch

cheers,
Stefan
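
As an added example (not part of Stefan's mail or of the Chromium project), a guarded version of the one-byte patch above: it reads the byte at the given file offset, refuses to write unless that byte is the expected 0x55 (`push %rbp`), keeps a `-pre-patch` copy as the mail does, overwrites the byte with 0xc3 (`retq`) via `dd conv=notrunc`, and re-reads it to confirm. It only relies on POSIX `od`, `dd` and `printf`, so it also works where `xxd` is not installed. The file it patches is a constructed sample mirroring the first bytes of the xxd dump, not the real chromium binary; the function names, the sample file and the offset 2 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail: guarded one-byte binary patch.
# Works on a constructed sample file, not on /usr/lib/chromium/chromium.

# read_byte FILE OFFSET: print the byte at decimal OFFSET as two lowercase hex digits.
read_byte() {
    od -An -tx1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# patch_byte FILE OFFSET EXPECTED NEW: replace one byte in place.
# EXPECTED and NEW are two-digit lowercase hex. Returns 1 without touching
# FILE if the byte at OFFSET is not EXPECTED, 2 if the write did not take,
# 0 on success. A FILE-pre-patch copy is kept, like in the mail.
patch_byte() {
    file=$1; off=$2; want=$3; new=$4
    cur=$(read_byte "$file" "$off")
    if [ "$cur" != "$want" ]; then
        echo "refusing to patch $file: byte at $off is 0x$cur, expected 0x$want" >&2
        return 1
    fi
    cp "$file" "$file-pre-patch"
    # printf cannot emit a byte from a hex value directly, so go via an octal escape.
    oct=$(printf '%03o' "0x$new")
    printf "\\$oct" | dd of="$file" bs=1 seek="$off" count=1 conv=notrunc 2>/dev/null
    [ "$(read_byte "$file" "$off")" = "$new" ] || return 2
}

# make_sample PATH: write a constructed 11-byte "function start" that mirrors
# the xxd dump in the mail after two leading nops:
#   90 90 55 bf 40 00 00 00 48 89 e5
#   nop nop push %rbp; mov $0x40,%edi; mov %rsp,%rbp
make_sample() {
    printf '\220\220\125\277\100\000\000\000\110\211\345' > "$1"
}

# demo: patch the push at offset 2, show before/after, and check that a
# second run is refused because the byte is now c3.
demo() {
    f=${TMPDIR:-/tmp}/patch_demo.$$
    make_sample "$f"
    patch_byte "$f" 2 55 c3 || return 1
    echo "before: $(read_byte "$f-pre-patch" 2)  after: $(read_byte "$f" 2)"
    if patch_byte "$f" 2 55 c3 2>/dev/null; then return 1; fi
    rm -f "$f" "$f-pre-patch"
}

demo
```

Run it against the real binary by replacing the sample path with the file and the decimal offset of the function start (0x03a31e50 is 61021776); the expected-byte check is what makes this safe to re-run or to apply to a rebuilt binary where the function may have moved.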
